The European Court of Justice has concluded that Google has to delete search results linking to outdated but lawful content in order to protect the data protection rights of individuals.
The European Court of Justice has published a landmark ruling forcing Google to remove some search results related to Mr Costeja González, a Spanish national, after he claimed the linked information was outdated and irrelevant, giving a wrong impression of him. The links pointed to an archived newspaper page containing a public notice by a tax authority for the auction of Mr Costeja's home to cover debts related to a business.
The ruling has very far reaching implications and has generated conflicting opinions among digital rights advocates. It introduces some very positive - and some quite dangerous developments.
It is good news that internet companies such as Google, that operate in Europe but are headquartered elsewhere, will now have to comply with data protection laws and take responsibility for the data they process.
The court has also upheld that the "right to be forgotten" exists in European privacy law. But it has not fully considered the need to balance this "right" with the right to freedom of expression. This could create the potential for abuse by individuals who wish to hide damaging information. The court may have created a weak spot for censorship, where individuals don't bother to remove websites because the bar is too high in terms of proving libel or other harms. Instead it might be easier to ask Google to remove search results under data protection laws.
It is worth noting that the ruling will have an immediate impact in Spain, where hundreds of similar requests are awaiting resolution, but it will take some time to spread across other European legal systems. For now the ruling creates a precedent, and an incentive for Google to agree to requests for the removal of personal information without full consideration to freedom of expression.
1. Google has to fully comply with European data protection
Google has long claimed that it did not have# data protection obligations in Europe because Google Inc is the US company that holds the data, while local subsidiaries in Spain or the UK only run commercial activities. For example, Google offers you the option to download some personal data such as emails via their automated tools, but not to request all the information they hold on you, as they would have to do under EU law. The ruling demolishes this position and makes Google responsible if they "advertise and sell" in a member state.
2. Search engines are data controllers
Search engines have generally been seen as simply reproducing existing information. Most discussions on Google and personal data have looked at services such as email, location, etc. but not search results. The ruling defines the activities of search engines in relation to webpages with personal information - indexing, storing and making available - as "processing" under the terms of EU data protection law. Furthermore, Google is the "controller" that "determines the purposes and means of the processing".
3. The "right to be forgotten" already exists in European law
The "right to be forgotten" is based on the premise that outdated and irrelevant information can give a distorted picture of an individual, for example, preventing them from getting a job. This is a very real concern, but there is also a need to preserve a record of social history. Archivists are concerned that this right could mean rewriting history.
There have been fierce debates about the introduction of this right in new legislation, but the court has cut through the knot and found that no new legislation is needed. Existing laws, requiring the personal information that companies hold on people to be relevant and accurate, can be used to enforce this right.
The court did not fully engage with all the problematic wider implications of this right, as it simply considered search results and not the actual deletion of records. But many feel this is a cop out. Such major ruling on the "right to be forgotten" should lay out some criteria for when and how obsolete or distorting personal information should be removed from the public record, or at least made less accessible. This could mean for example stopping the indexing of public records and online archives by search engines and other processors. But it could also mean taking whole digital archives offline.
4. Being a data controller has far reaching implications
Labelling Google a data controller for search results goes beyond the right to delete information. It creates a seismic shift in the responsibilities that Google has to the people whose information appear in the searches. Given that Google indexes pretty much the whole public internet, this could affect anyone who is named in any website. For example, EU law places constraints on controllers around the export of data to certain countries with lower privacy protections. Data controllers have to give "data subjects" a copy of all the information they hold in them. There is even speculation could mean that people can now object to receiving adverts when they use the platform.
It remains to be seen how this can work in practice with millions of results involving potentially hundreds of people sharing the same name.
5. Publicly available information is subjected to data protection
This ruling is a reminder that many internet intermediaries are not exempt from data protection responsibilities. Just because personal information is publicly available it does not mean that you can do as you wish. This issue was considered in relation to open data by the Article 29 working group.
According to the court, the right to data protection of individuals trumps the "mere economic interest of the manager of the search engine" unless there is an explicit public interest. This will be important for many online projects processing personal data.
The court also mentions the need to consider the right to access the information of internet users, particularly if the person affected has a role in public life. But this balancing of privacy and freedom of expression is not really explored in the ruling.
What is clear from this and previous rulings is that public figures will have to expect a lower expectation of privacy, and generally should not be able to get their information deleted so easily.
6. Search engines have a separate responsibility from publishers
It appears surprising that the ruling supports the Spanish data authorities in allowing the original offending article to remain in place, while forcing Google to delete references to it. The ECJ makes a clear distinction between search engines and the publication of the information. This is consistent with the application of the principles above, but it creates a potential weak spot for online censorship.
A key aspect of this ruling is that it doesn't relate to libellous or defamatory information. It censors lawful content that contains personal information because it may yet cause detriment to individuals when processed by search engines because:
search engines can combine lawful information to generate a completely new insight. The court sees the search results relating to a person as a personal profile. This is not a neutral list of links because the information is organised (e.g. ranking, possibly removal of duplicate results, etc.)
search engines provide access to outdated information that before would simply disappear into dusty archives nobody visits, but now lingers on in accessible webpages. Without search engines you would need to know what you were looking for and make a special visit.
7. Google will now be tempted to remove links rather than contest requests
It is hard to evaluate the balance of competing rights involved in these cases. The ruling does not help Google decide in future cases. How old do websites have to be to become irrelevant, how public should a person be, how do you judge the public interest?
Should Google decide on this balance of rights? It is very unclear how the rights of the publisher will be safeguarded in an internal process by a private company. As a general principle, removal of websites, or search links, should be decided by a legal authority, not a business.
We are particularly concerned that the path of least resistance for Google will be to automate the removals. For Google it will be cheaper to delete links automatically and let others complain later on, than to consider the balance of rights in every request.
If any content has to be censored, with due process and consideration for the right to freedom of expression, this should be more consistent across the board.
It may not be the intention, but with the ruling appears to create a lower barrier for censoring search results than for hosting. Freedom of expression in the 21st century is not just about the right to publish, but also about being found online.